Answered by:

Front End Service Fails on Cert Change

Question

After getting the OCS 2007 IM working internally, I wanted to resolve the address book issue. Everything I read indicated that the certificate I was using didn't have the appropriate SAN. The Subject name on the cert wasn't the same as the internal FQDN, but I placed a CNAME record into the DNS forwarding the Subject name to the CNAME and manually configured the OC client to use the Subject name and TLS to log on. This allowed me to get the OC client working.But the Address book sync continued to elude me.

So I got test cert from a public CA that is fully trusted. The cert is name is the internal FQDN and what would be the external FQDN is now in the Subject Alternate name. The DNS appears to resolve properly and all was working (save the address book).

Today I received the new cert that was properly using the internal FQDN and set the external FQDN as a SAN.I changed the DNS SRV records from the External FQDN to the internal FQDN. Then I the cert to the IIS. I then added the cert to the OCS snap in and restared the services.

Resolution works fine using both set type=srv and straight PING.

The problem is now the Front End service won't start.There is no listener and the remaining services have no problem. I can't run a validate because the front end service is failing.I have fun the OCSTrust.vbs to make sure it trusts the server appropriately. The account is not locked out and the password is still the same password that I set orginally 1 week ago.

Suggestions would be well appreciated.

error include:Unable to start the stack.

Error: 0x0xC3E93C47 (SIPPROXY_E_BAD_SERVER_CONFIGURATION).

+++++++++++++++++++++++++++++++++

Failed starting the protocol stack. The service has to stop

Error code is:0xC3E93C47 (SIPPROXY_E_BAD_SERVER_CONFIGURATION).Cause: Check the previous entries in the event log for the failure reason.Resolution:Try restarting the server after resolving the failures listed in the previous event log entries.

+++++++++++++++++++++++++++++++++

Office Communications Server Snap-in failed to start service: Service Name = RTCSRV HRESULT = 0x8007042A Error Description = The service has returned a service-specific error code.+++++++++++++++++++++++++++++++++

Transport:TLS, IP address:*, Port:5061. Error:0x0xC3E93C0C (SIP_E_STACK_NO_TRANSPORT_CERT).Cause: The certificate may have been deleted or the configuration is erroneous.Resolution:Ensure that a valid certificate is present in the local computer certificate store. Also ensure that the server has sufficient privileges to access the store.

Saturday, December 01, 2007 2:49 AM

Answers

the orginal stimulus was to get rid of the "Caution" mark on the Address book.I had to change my cert to use a proper FQDN and Subject Alternate Name.Turns out that I needed to remove the internal FQDN from the Global Edge settings. Once I removed that reference. The system came right up.

Thanks for the suggestion though.

Saturday, December 01, 2007 8:48 PM

All replies

Was your original problem that internal clients couldn't download the address book, or external clients? If the latter, have you created a reverse proxy rule using ISA? If so then you should use two seperate certificates for that setup.

the orginal stimulus was to get rid of the "Caution" mark on the Address book.I had to change my cert to use a proper FQDN and Subject Alternate Name.Turns out that I needed to remove the internal FQDN from the Global Edge settings. Once I removed that reference. The system came right up.